Enter Player Zhe

In the last post we discussed how the timezone where Guccifer2.0. altered their documents was likely GMT+3. Examples of possible locations, grouped as Russian / Russian-influenced, East European and Islamic, include:

  • MSK – Moscow Time: Eastern Russia, Ukraine (Crimea, Donetsk …), Georgia (parts), Belarus
  • EEST – East Europe (Summer): Ukraine (part), Romania, Bulgaria, Moldova, Lithuania, {Finland}
  • EEST – East Europe (Summer): Turkey, Syria, Lebanon, Cyprus
  • AST – Arabia: Saudi Arabia, Iraq
  • EAT – East Africa: Somalia, Uganda

In my view there are five main actor groups within those countries that could marry with the motivation for Guccifer2.0. The first three, 1) the Russian state, 2) criminal hackers, and 3) Islamic hackers, I see as less likely, and I’ve done some quick pros and cons in the images below (click here to see the text with links):

Which leaves my last two and strongest candidates: 4) “Hackerville” Romania, and 5) Cyber-Berkut.

Player 1: “Hackerville” Romania

I outlined one Romanian candidate in my second post, and received some healthy criticism for what was a post short on detail and long on allegations. (To be honest I didn’t think anyone would read it!) It now seems appropriate to fill in some gaps as there are some very solid reasons to suggest that Guccifer2.0. is in fact what he says: a Romanian hacker.

To understand why Romania is such a strong candidate one has to realise that in Romania Guccifer1.0 is a celebrity. Exclusive interviews with him are events on major TV channels. To Romanian hackers he is a hero, maybe even a martyr. G2.0. may be a message to the powerful: we will not stop. There will be a Guccifer3.0. and a 4.0. To understand their mentality watch “Hackerville”.

As can be seen in the video it’s a close-knit group that learn from and teach each other, and who would want to avenge the capture of G1.0.

Could Guccifer1.0. hacks live on…?

The list that Guccifer1.0 hacked is a long one. In common with other hackers some of his releases were simply lists of contact details and emails of people: targets for future hacks by him or others. It’s possible, even probable, that his methods and data would be shared among the hacking community in Romania and elsewhere.

Shared, or sold. A download purported to be 7Gb of Guccifer1.0. files was offered for sale with a message in Romanian. A torrent was later posted which doesn’t seem to work at the time of writing, and some Google Drive links that require approval from whoever it is that owns them. Sales of data like this are common; read this hacking tale, look for [ 5.2 – Buying Access ].

We know of at least 70 Gigabytes of publicly unreleased data, that was handed over to the FBI when he was arrested. How much of this had already been shared …? Just the 7Gb or the 70?

For examples of how his hacks might “live on”:

Then when we look at the DNC emails:

  • In 2013 he also hacked Sidney Blumenthal, and through him, HRC.
  • Is it possible that the out-of-date DNC list that was used for phishing originated from these hacks? The dates would fit.

All of this may be quickly answered if Guccifer2.0. isn’t even a Romanian at all. This would clearly rule out Florica Catalin Gabriel and his merry band.

The most well known criticism for the idea that Guccifer2.0. is Romanian comes from this Motherboard article where the writer “interviews” Guccifer via online chat. It’s not clear which chat provider they used, but Twitter seems the most likely.

One point of doubt seems to be some unusual (they claim) speech patterns. Not incorrect Romanian, just unusual. But when conversing with a non-native English speaker I’m likely to use unusual speech patterns in order to make myself understood. I might say “would you like a glass of Coca-cola?” rather than “you wanna coke?”

Then there’s the lack of indefinite articles, which Romanian possesses but Russian doesn’t. But this is no major issue according to a language expert they cite:


But not everyone is that sure. M.J. Connolly, a professor of Slavic and Eastern European linguistics at Boston College, said that Russians tend not to carry the construction using the word “language” after the language name (such as “Russian language,” or “Romanian language”) when they speak English.

Connolly added that Guccifer 2.0’s English actually doesn’t show some Russian traces he would have expected, such as how at times the hacker does use some indefinite articles, and doesn’t substitute present tenses for past tenses.

“All I can say is: no smoking gun here,” Connolly said in an email. “The English is very East Euro web talk, which Russians and Romanians and all Eastern Europeans share but, as I’ve pointed out already, many of the traits are non-Russian.”

For Connolly, the hacker could also be Moldovan, given that the country is a mixed Romanian-Russian environment and many Moldovans, especially the anti-Russian ones, “will identify as Romanian.”


But Motherboard aren’t faint of heart. A professor saying he has “many non-Russian traits” isn’t enough to stop Motherboard saying that he’s Russian.

There are two other problems with the attribution to Russia rather than Romania: The accents in the text, and the spelling mistakes.

To get those accents on a Russian keyboard is difficult, and would require either a virtual keyboard or advance knowledge of the key combinations that produce such an accent. Compare a Russian and a Romanian keyboard:

We can see that a Russian keyboard entirely lacks the cedilla and tilde accented characters while they exist on a Romanian keyboard. Are we to believe it’s a Russian using a Romanian keyboard – just in case?

Another theory I’ve seen advanced is that both parties – the journalist and G2.0. – could have been using Google Translate. This theory falls down because of the spelling mistakes that G2.0. makes in his Romanian. Google Translate doesn’t make spelling mistakes, so it would be perfect spelling that’s suspicious.

The Motherboard criticism isn’t at all convincing.

Guccifer2.0. could easily be Romanian as he claims.

What then of Mr Florica Catalin Gabriel and the links between his THCServers and sites linked to phishing and other scams? They are there. It’s clear that Mr Florica Catalin Gabriel has taken personal command of fraudulent websites like Hminers, so he’s not a simple bystander, but could be just a scammer with a bitcoin payment no-questions-asked webhost business on the side. It’s possible that all the links are just co-incidences.

But he could also be … you know … him. He seems to be at the centre of all that is Hackerville and it’s possible that we and the FBI are missing the bloomin’ obvious. Maybe my next player may use Mr Florica Catalin Gabriel’s services …

Player 2: Cyber-Berkut

These long-established hacktivists support the Russian side in the Ukraine conflict, so they are against supporters of the pro-western faction of Ukraine – like Obama, the EU, Soros, NATO and especially HRC.

The main similarities between Guccifer2.0 and Cyber-Berkut are technical. Take for example the source of G2.0’s 1.doc (right side) and this file on C-B (left side) which is a “technical report” of their claimed hack of Anton Gerashchenko:

The same:

  • Russian language codes. (As pro-Russian Ukrainians they would consider themselves Russian).
  • Base font sets (excluding the extra fonts in 1.doc), with font language 204 (Cyrillic).
  • Use of a .doc file saved as a .rtf which results in
    • the same creation of two versions of every image, wmf and png
    • a datastore MSXML2 SAXXMLReader
    • BUT this Cyber-Berkut file uses version 6.0 while 1.doc has version 5.0.
    • Win32FileTime of GMT +3
  • They use mediafire for file hosting, and saved in a 7z file format, just as G2.0. does

The C-B file’s author field, decoded as Windows-1251, reads “Павел Мастипан”. Within the document there are several mentions of krivstar.net, the same network (but different IPs) to which Podesta’s emails were phished (more details below). On another (this time Soros) document there’s even a “Confidential” watermark like the one in 1.doc.
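The side-by-side comparison above (language codes, charset 204 fonts, the wmf/png twin of every image that a .doc saved as RTF produces, the SAXXMLReader version in the datastore, and the Windows-1251 author name) can be pulled out of an RTF file mechanically. The following Python script is an added example, not code from this post or from any tool it mentions. It runs on a constructed RTF fragment that it builds itself rather than on the real 1.doc or Cyber-Berkut files, and it assumes the datastore hex holds the ProgID as a plain UTF-16LE string (in genuine Word output it sits inside an OLE compound-file blob, which would need unpacking first). All function names are mine.

```python
import re
from collections import Counter

# Regexes for the handful of RTF constructs the comparison relies on.
RTF_CONTROL = re.compile(r"\\([a-z]+)(-?\d+)?")            # \word123
FONT_ENTRY = re.compile(r"\\f(\d+)[^{};]*?\\fcharset(\d+)\s*([^;{}]+);")
HEX_ESCAPE = re.compile(r"\\'([0-9a-fA-F]{2})")             # \'XX byte escape
DATASTORE = re.compile(r"\{\\\*\\datastore\s*([0-9a-fA-F\s]+)\}")
PROGID = re.compile(r"MSXML2\.SAXXMLReader\.\d\.\d", re.I)


def rtf_escape(text, codepage="cp1251"):
    """Encode text as RTF \\'XX byte escapes in a Windows code page."""
    return "".join(f"\\'{b:02x}" for b in text.encode(codepage))


def build_sample(author, sax_version):
    """Constructed RTF fragment (not one of the documents discussed) carrying the
    traits compared in the post. Assumption: the datastore hex is modelled as a
    bare UTF-16LE ProgID string rather than the OLE blob Word really writes."""
    progid_hex = f"MSXML2.SAXXMLReader.{sax_version}".encode("utf-16-le").hex()
    return (
        r"{\rtf1\ansi\ansicpg1251\deff0\deflang1049" "\n"
        r"{\fonttbl{\f0\fswiss\fcharset204 Arial;}{\f1\froman\fcharset204 Times New Roman;}"
        r"{\f2\fnil\fcharset0 Calibri;}}" "\n"
        r"{\info{\author " + rtf_escape(author) + r"}{\operator " + rtf_escape(author) + "}}\n"
        r"\pard\lang1049\f0\fs24 Sample text\par" "\n"
        r"{\*\shppict{\pict\pngblip\picw100\pich100 89504e47}}"
        r"{\nonshppict{\pict\wmetafile8\picw100\pich100 01000900}}" "\n"
        r"\pard\lang1033\f2 More text\par" "\n"
        r"{\*\datastore " + progid_hex + "}\n}"
    )


def language_codes(rtf):
    """Count \\lang and \\deflang codes (1049 = Russian, 1033 = US English)."""
    counts = Counter()
    for word, num in RTF_CONTROL.findall(rtf):
        if word in ("deflang", "lang", "deflangfe", "langfe") and num:
            counts[int(num)] += 1
    return counts


def font_charsets(rtf):
    """Map font name -> \\fcharset value from the font table (204 = Cyrillic)."""
    return {name.strip(): int(cs) for _, cs, name in FONT_ENTRY.findall(rtf)}


def image_formats(rtf):
    """Count picture blip types; a .doc saved as RTF carries a wmf twin of each png."""
    counts = Counter()
    for word, _ in RTF_CONTROL.findall(rtf):
        if word in ("pngblip", "wmetafile", "emfblip", "jpegblip"):
            counts[word] += 1
    return counts


def info_field(rtf, field, codepage="cp1251"):
    """Read an \\info group field (e.g. author) and decode its \\'XX escapes."""
    m = re.search(r"\{\\" + field + r"\s+([^{}]*)\}", rtf)
    if not m:
        return None
    text, raw, pos = m.group(1), bytearray(), 0
    for esc in HEX_ESCAPE.finditer(text):
        raw += text[pos:esc.start()].encode("latin-1")
        raw.append(int(esc.group(1), 16))
        pos = esc.end()
    raw += text[pos:].encode("latin-1")
    return raw.decode(codepage).strip()


def datastore_progids(rtf):
    """Find MSXML2.SAXXMLReader.X.Y ProgIDs in the hex datastore, trying ASCII
    and both UTF-16LE alignments."""
    m = DATASTORE.search(rtf)
    if not m:
        return []
    blob = bytes.fromhex("".join(m.group(1).split()))
    views = [blob.decode("latin-1"),
             blob.decode("utf-16-le", errors="ignore"),
             blob[1:].decode("utf-16-le", errors="ignore")]
    return sorted({hit for view in views for hit in PROGID.findall(view)})


def fingerprint(rtf):
    """Collect the traits the post lines up side by side for two documents."""
    images = image_formats(rtf)
    deflang = re.search(r"\\deflang(\d+)", rtf)
    return {
        "deflang": int(deflang.group(1)) if deflang else None,
        "langs": frozenset(language_codes(rtf)),
        "cyrillic_fonts": frozenset(n for n, cs in font_charsets(rtf).items() if cs == 204),
        "png_wmf_pairs": images["pngblip"] > 0 and images["pngblip"] == images["wmetafile"],
        "author": info_field(rtf, "author"),
        "sax_progids": tuple(datastore_progids(rtf)),
    }


def shared_traits(fp_a, fp_b):
    """Names of fingerprint fields that match exactly between two documents."""
    return sorted(k for k in fp_a if fp_a[k] == fp_b[k])


if __name__ == "__main__":
    # Constructed inputs: the author name from the post on one side, a placeholder on the other.
    doc_a = build_sample("Павел Мастипан", "6.0")
    doc_b = build_sample("Тест Автор", "5.0")
    print(fingerprint(doc_a))
    print("shared:", shared_traits(fingerprint(doc_a), fingerprint(doc_b)))
```

Two documents sharing deflang 1049, charset 204 fonts and the png/wmf pairing is exactly what any Russian-locale Word install produces, so a match on those fields is weak evidence on its own; the differing ProgID version and author field are the traits that actually separate two files, which is why the script reports both the shared and the full fingerprint.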

So who are Cyber-Berkut? Well, Trend Micro has a handle on their identities:

  1. Alexander Ulyanov, a 32 year-old Russian, who goes by the hacker name MDV, and whose Twitter is http://twitter.com/CyberBerkut
  2. August “Artemov” Pasternak, a 24 year-old Ukrainian. Hacker name; Artemov or Artemova.
  3. Zac Olden, an Australian of unknown age. His hacker name is the rather smart “Mink”. He’s on twitter at http://twitter.com/zacolden.

This last one – an Aussie – is a surprise, but seems to check out with the URLs in the English version of the site.

He has a website with the fabulous name of ӂ.com. He also has a GitHub account where he’s been making regular contributions to private repositories. And a pastebin. He seems mainly to be a PHP developer. It just happens that the code for the phishing software on DCLeaks was all PHP.

The nameservers of ӂ.com point to 145.239.5.35 which is cloud based on OVH – just like our friends at THCservers. Just another co-incidence. There seems to be a lot of them. DCLeaks, G2.0., Cyber-Berkut, and G1.0. seem to be hacking the same people.

That’s a lot of co-incidences:

  1. At least one of the documents that DCLeaks released about Soros is exactly the same document as previously released by Cyber-Berkut. The same hack, or a different hack? Or are they mates who share information?
  2. G1.0. hacks Colin Powell. DCLeaks hack Colin Powell
  3. Clinton’s emails get positively incestuous:
    1. Cyber-Berkut release emails from the Clinton Global Initiative / President Clinton, some of which are retweeted by wikileaks (both run by Australians).
    2. G1.0. claims to have hacked clintonemail.com
    3. Clinton’s head of staff Podesta has his emails phished to a Ukrainian internet provider (which appears in Cyber-Berkut documents) which are later released on wikileaks
    4. G2.0. “hacks the DNC” and releases altered documents from the Podesta phishing.
  4. Everyone seems to end up being hosted in Cloudflare or OVH.
  5. Cyber-Berkut take Ukrainian TV stations off air. TV-5 has their service hacked.

The Podesta phishing emails resolved to a mobile phone broadband provider in Ukraine.  Some mobile phone companies also provide fixed line broadband too but we potentially have a phone user physically in Ukraine.

The IP resolves to a town called Dnipro, which is in central east Ukraine in the Russian sphere of influence (Edit: vide infra, and my reply: this is not in the Russian controlled area). This could be highly relevant; from Wikipedia:

“On 5 February 2015 Kyivstar officially gave up its base stations in territory controlled by pro-Russian separatists during the War in Donbass.[3] The following months the company accused the separatists Donetsk People’s Republic of setting up its own mobile network operator using these base stations.[3] On 18 April 2015 pro-Russian separatist leader Aleksandr Zakharchenko issued a decree stating that all equipment that Kyivstar gave up falls under the control of the separatists in order to “meet the needs of the population in the communication services”.[3] Kyivstar’s president Petro Chernyshov labelled the Donetsk People’s Republic operator “It’s just robbery””

The implication is that the Podesta emails were phished to a separatist-controlled (??) mobile phone zone in Ukraine. Cyber-Berkut support the separatist movement, their documents have technical similarities to Guccifer2.0.’s documents, and they also hacked the same Soros document that later appears on DCLeaks!

There are more co-incidences. Paul Manafort (the first person indicted by Mueller) worked for the hardline pro-Russian former PM Yanukovych. Cyber Berkut warn in April 2016 that the June 2016 visit of Ukrainians to the USA (we presume the June 15th meeting with Biden) would seek to attack Manafort.

They say:

“As we have discovered, the documents were handed over to Boris Lozhkin during his meeting with Evan Ryan, the US Assistant Secretary of State for Educational and Cultural Affairs, in Washington. They were only a part of a larger campaign of the US State Department to discredit Manafort who held at that time the post of Donald Trump’s campaign chief.

Taking into consideration nearly a decade of Manafort’s work as the political adviser in Ukraine, supporters of Hillary Clinton in the Department of State decided to use their power. They set a task to the Ukrainian leadership to find some dirt on Manafort and make it public.

The wishes of their bosses were transmitted to Kiev via Valery Chaly, the Ambassador of Ukraine to Washington who previously was the Deputy Head of the Presidential Administration of Ukraine.”

This letter they release is from the friendly, harmless, non-partisan, never-done-anything-wrong, kind-to-animals folks who formed FusionGPS.

They include various court documents that involve Manafort and Yulia Tymoshenko (former PM of Ukraine and great friend of HRC):

  • 29.pdf
  • 45-main.pdf
  • 50-main.pdf

Read more here. As an aside; the court documents find parallels between two female politicians losing an election and then blaming foreign influences. Both female politicians know each other, but the American one is mild (“they are deplorables”) in comparison to the Ukrainian (“kill 8 million of them with nuclear weapons“).

The accusation is that parts of the US state conspired with parts of the Ukrainian state to dig for dirt on Manafort. Just as the FusionGPS founders were digging dirt on Manafort. This is two months before the June ’16 Ukrainian meeting with Biden and four months before Manafort steps down as a Trump advisor.

Conclusion

We have two strong candidates for Guccifer2.0.: I) Hackerville Romania, a band of digital pickpockets, and II) Cyber-Berkut an ideologically driven pro-Russian group. Both have the skills, and both have circumstantial evidence linking them to Guccifer2.0.

As to which one is more likely, I can only guess, but maybe it’s both. There seems to be information exchange between all the groups. Maybe they are the same group. Maybe there’s a chatroom somewhere where they’re laughing at all of us.

Or, maybe the key is ӂ.

This character ӂ, Zac Olden’s character, is pronounced Zhe and is used in the Gagauz and Romanian/Moldovan languages. Potentially, tentatively, if Zac (aka mink) has any Romanian/Moldovan ancestry as ӂ suggests then we have someone who ticks every single box. It could explain why he speaks non-native English, and non-native Romanian. It could explain why Guccifer2.0. is named “Guccifer2.0.” It could explain why there are so many connections between G2.0., G1.0., Cyber-Berkut, and DCLeaks. He could be the bridge between them all. He could be – him.

Or maybe there’s nothing to see here …

 
 
   '|'˜¨¯¨'˜¯\/'˜¨¯¨'˜˜¨¯'\‚  |˜¨¯¨˜'|'‚ |\˜¨¯¨¨˜\  |\˜¨¯¨¨˜'\      |˜¨¯¨˜'|  '|˜¨¯¨˜'|  
   /           '/|\        \'‚|     '|   |'\      \'| '\      \ '   |     '| '/      /|‘
  '|      '|\ '/ / |       |  |     '|  '\  '\     '\   '\     '\   |     '| /¸_¸_¸/'/  
 '/      '/\ \_/ / /      /|  |     '|    \  |       \   |      |'‚ |     '| \˜¨¯¨˜\/‘  
'|       |  \|_|/ /     / '|  |     '|      \|      |\;\ |     '|   |     '| '\     \'  
 |\¸_¸_¸ \       |¸_¸_¸'| /‘  |¸_¸_¸_|      /¸_¸¸_'/|  '\¸_¸¸_¸/|   |¸_¸_¸_|   |¸_¸_¸|  
| |˜¨¯¨˜'|      '|˜¨¯¨˜˜| /‘  |˜¨¯¨˜'|°    |'˜¨¯¨¨'||\  |˜¨¨˜'| |   |˜¨¯¨˜'|  '|˜¨¯¨˜|  
 \|¸_¸_¸_|      '|¸_¸_¸'|/'   |¸_¸_¸_|     |¸_¸¸_'_|/ '\|¸_¸¸_|/'   |¸_¸_'_|  '|¸_¸_'|'    
                                                                                                                       
nothing to see here.

12 thoughts on “Enter Player Zhe”

  1. Dnipro is NOT in separatist zone of east Ukraine.
    In fact, it is the home base of right-wing Yulia Tymoshenko (Hillary’s pal above), who wanted to vaporize Russian-speaking Ukrainians with a nuclear bomb.

    • Thanks Steve. The more I read about the Ukrainian and DNC ties (Hi Alex) the more suspicious I get. How easy would it be to have your friends hack your servers, blame the enemies of your friends (Russia and even worse – Ukrainians that support Russia), and at the same time discredit Manafort who works for “the wrong side” on both sides of the Atlantic?

  2. Cyber Berkut post dated 4.11.2016 was written in November, NOT April. Look at syntax of post on same page dated 22.10.2016.

  3. Despite the drama, Ramnicu Valcea hackers are some of the least sophisticated in Romania. Bottom line is they’re tiaălosi and hoti. While I don’t know Cata I do know people that do, and they say he is just another thief without sophisticated ability. Those that do possess the ability in Romania would never allow themselves to be filmed or photographed. To contact them one would need to go through several layers of human and digital shields. Cyber Berkut is infinitely more likely and those guys have a far greater skill level.

  4. additionally Romanians are pretty much apolitical outside of Romanian politics. Romanian hackers are after only 1 thing – money. Whereas Ukrainians, especially those in Donbas are for all intents and purposes in a vise between the west and RU – they are highly politically motivated
